Out of 96 federal and civilian government agencies, 12 had cybersecurity programs that were at “high risk” and 59 were “at risk,” according to a report from the Office of Management and Budget released in May.
The remaining 25 agencies were labeled as “managing risk.”
The Federal Cybersecurity Risk Determination Report and Action Plan was produced under an early May executive order from President Trump as a coordinated effort between OMB and the Department of Homeland Security.
The order required agencies to submit risk assessment reports to OMB and DHS, which would assess those reports, identify the areas where each agency needs to improve its cybersecurity, and create guidelines for that improvement.
The “most significant areas of risk” identified in the agency assessments were the large installed base of older information technology and “shortages of experienced and capable cybersecurity personnel.”
The report laid out four actions it said would be “necessary to address cybersecurity risks across the Federal enterprise”:
- “Increase cybersecurity threat awareness among Federal agencies by implementing the Cyber Threat Framework to prioritize efforts and manage cybersecurity risks;
- Standardize IT and cybersecurity capabilities to control costs and improve asset management;
- Consolidate agency SOCs to improve incident detection and response capabilities; and
- Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB’s engagements with agency leadership.”
The report also frames its findings using the National Institute of Standards and Technology Cybersecurity Framework, whose five core functions are identify, protect, detect, respond, and recover.
The primary issues noted in the report were that agencies either do not understand the threats they face or lack the resources to combat them; that cybersecurity processes and IT capabilities are not standardized across agencies; that agencies in some cases have no visibility into what is happening on their networks, particularly who is accessing data; and that agencies lack agency-wide standardized processes for managing cybersecurity risk.
Each agency was required to submit a signed letter describing its plan to accept, mitigate, avoid, or transfer the cybersecurity risks identified in OMB’s findings.